Sidewinder: Targeted attack against Android in the golden age of ad libraries

By 2014, the number of Android users has grown to 1.1 billion and the number of Android devices has reached 1.9 billion [1]. At the same time, enterprises are also embracing Android based Bring Your Own Device (BYOD) solutions. For example, in Intel’s BYOD program, there are over 20,000 Android devices across over 800 combinations of Android versions and hardware configurations [2].Although Google Play has little malware, there are many vulnerabilities in Android apps and the Android system itself. Aggressive ad libraries also leak the user’s private information. By combining altogether, an attacker can conduct more targeted attacks, which we call “Sidewinder Targeted Attacks”. In this paper, we explain the security risks from such attacks, in which an attacker can intercept private information like GPS location uploaded from ad libraries and use that information to precisely locate targeted areas such as a CEO’s office or some specific conference rooms. When the target is identified,“Sidewinder Targeted Attack” exploits popular vulnerabilities in ad libraries, such as Javascript-bindingover-HTTP or dynamic-loading-over-HTTP, etc. It is a well-known challenge for an attacker to call Android services from injected native code which doesn’t have Android application context. We explain how attackers can invoke Android services for tasks such as taking photos, calling phone numbers, sending SMS, reading/writing the clipboard, etc. Furthermore, the attackers can exploit several Android vulnerabilities to get valuable private information or to launch more advanced attacks. Finally, we show that this threat is not only real but also prevalent due to …